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Introduction 

"Non-monotonic" logical systems are logics in which the introduction of new 
axioms can invalidate old theorems. Such logics are very important in modeling the 
beliefs of active processes which, acting in the presence of incomplete information, must 
make and subsequently revise predictions in light of new observations. We present the 
motivation and history of such logics. We develop model and proof theories, a proof 
procedure, and applications for one important non-monotonic logic. In particular, we 
prove the completeness of the non-monotonic predicate calculus and the decidability of the 
non-monotonic sentential calculus. We also discuss characteristic properties of this logic 
and its relationship to stronger logics, logics of incomplete information, and truth 
maintenance systems. -— - 



The Problem of Incomplete Knowledge 

The relation between formal logic and the operation of the mind has always 
been unclear. Some of the more striking differences between properties of formal logics 
and mental phenomenology occur in situations dealing with perception, ambiguity, 
common-sense, causality and prediction. One common feature of these problems is that 
they seem to involve working with incomplete knowledge. Perception must account for the 
noticing of overlooked features, common-sense ignores myriad special exceptions, assigners 
of blame can be misled, and plans for the future must consider never-to-be-realized 
contingencies. It is this apparently unavoidable making of mistakes in these cases that 
leads to some of the deepest problems of the formal analysis of mind. 

Some studies of these problems occur in the philosophical literature, the most 
relevant here being Rescher's [1964] analysis of counterfactual conditionals and belief- 
contravening hypotheses. In artificial intelligence, studies of perception, ambiguity and 
common-sense have led to knowledge representations which explicitly and implicitly 
embody much information about typical cases, defaults, and methods for handling 
mistakes. [Mirisky 1914, Reiter 1978] 'Studies of problem-solving and acting have 
attempted representing predictive and causal knowledge so that decisions to act require 
only limited contemplation, and that actions, their variations, and their effects can be 
conveniently described and computed. [Hayes 1970, 1971, 1973, Doyle 1978] Indeed, one 
of the original names applied to these efforts, "heuristic programming", stems from 
efficiency requirements forcing the use of methods which occasionally are wrong or which 
fail. The possibility of failure means that formalizations of reasoning in these areas must 
capture the process of revisions of perceptions, predictions, deductions and other beliefs. 

In fact, the need to revise beliefs also occurs in deductive systems working within 
traditional logics. Much work has been done on mechanized proof techniques for the 



first-order predicate calculus. CJ.A. Robinson 1965, Nevins 1914, Moore 19751 Incomplete 
information is represented in these systems as disjunctions of the several possibilities where 
the individual disjuncts may be independent of the axioms being used, that is, cannot be 
proven or contradicted by arguments from the axioms. Thus, proof procedures engage in 
case-splitting, in which disjuncts are considered in a case-by-case fashion. At any given 
time, the proof procedure will have some set of current assumptions, from which the 
current set of formulas has been derived. If failures in the proof attempt lead to 
investigating new splits, and so change the set of current assumptions, the current set of 
derived formulas must also be updated, for it is the current set of formulas on which the 
proof procedure bases its actions. 

Classical symbolic logic lacks tools for describing how to revise a formal theory 
to deal with inconsistencies caused by new information. This lack is due to a recognition 
that the genera] problem of finding and selecting among alternate revisions is very hard. 
(For an attack on this problem, see Rescher C19641 Quine and Ullian £19783 survey the 
complexities.) Although logicians have been able to ignore this problem, philosophers 
and researchers in artificial intelligence have been forced to face it because humans and 
computational models are subject to a continuous flow of new information. One important 
insight gained through computational experience is that there are at least two different 
problems involved, what might be called "routine revision" and "world-model 
reorganization". 

World-model reorganization is the very hard problem of revising a complex 
model of a situation when it turns out to be wrong. Much of the complexity of such 
models usually stems from parts of the model relying on descriptions of other parts of the 
model, such as inductive hypotheses, testimony, analogy, and intuition. An example of 
such large-scale reorganization would be the revision of a Newtonian cosmology to account 
for perturbations in Mercury's orbit. Less grand examples are children's revisions of their 
world -models as discovered by Piaget, and the revision of one's opinion of a friend upon 
discovering his dishonesty. 

Routine revision, on the other hand, is the problem of maintaining a set of facts 
which, although expressed as universally true, have exceptions. For example, a program 
may have the belief that all animals with beaks are birds. Telling this program about a 
platypus will cause a contradiction, but intuitively not as serious a contradiction as those 
requiring total reorganization. The relative simplicity of this type of revision problem 
stems from the statement itself expressing what revisions are appropriate by referring to 
possible exceptions. Such relatively easy cases include many forms of inferences, default 
assumptions, and observations. 

Classical logics, by lumping all contradictions together, has overlooked the 
possibility of handling the easy ones by expanding the notation in which rules are stated. 



That is, we could have avoided this problem by stating the belief as "If something is an 
animal with a beak, then unless proven otherwise } it is a bird." If we allow statements of 
this kind, the problem becomes how to coordinate sets of such rules. Each such statement 
may be seen as providing a piece of advice about belief revision; for our approach to 
make sense, all the little pieces of advice must determine a unique revision. This is the 
subject of this paper. Of course, even if we are successful, the world-model 
reorganization problem will still be unsolved. But we hope factoring out the routine 
revision problem will make the more difficult problem clearer. 



Approaches to Non-Monotonic Logic and the Semantical Difficulties 

The study of the problem of formalizing the process of revision of beliefs has 
been almost completely confined to the practical side of artificial intelligence research, 
where much work has been done. [Hewitt 1972, McDermott 1974, Stallman and Sussman 
1977, Doyle 1978] Theoretical foundations for this work have been lacking. This paper 
studies the foundations of these forms of reasoning with revisions which we term non- 
monotonic logic. 

Traditional logics are called monotonic because the theorems of a theory are 
always a subset of the theorems of any extension of the theory. (This name for this 
property of classical logics was used, after a suggestion by Pratt, in Minsky's Q974D 
discussion. Hayes C1973] has called this the "extension" property.) In this paper, by 
theory we will mean a set of axioms. A more precise statement of monotonicity is this: If 
A and B are two theories, and A sB, then Th(A)'c Th(B), where Th(S) = {p: Shp) is 
the set of theorems of S. We will be even more precise about the definition of h later. 

Monotonic logics lack the phenomenon of new information leading to a revision 
of old conclusions. We obtain non-monotonic logics from classical logics by extending 
them with a modality ("consistent") well-known in artificial intelligence circles, and show 
that the resulting logics have well-founded, if unusual, model and proof theories. We 
introduce the proposition -forming modality M (read "consistent"). Informally, Nip is to 
mean that p is consistent with everything believed, (See [McCarthy and Hayes 19691) 
Thus one small theory employing this modality would be 

(1) noon A M[sun-shining] ^> sun-shining 

(2) noon . 

(3) eclipse => ^sun-shining, 

in which we can prove ...'"'• 

(4) sun-shining. 
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If we add the axiom 

(5) eclipse 

then (4) is inconsistent, so (4) is not a theorem of the extended theory. 

The use of non-monotonic techniques has some history, but until recently the 
intuitions underlying these techniques were inadequate and led to difficulties involving the 
semantics of non-monotonic inference rules in certain cases. We mention some of the 
guises in which non-monotonic reasoning methods and belief revising processes have 
appeared. 



Michael Scriven Q9S9, 1963] proposed that explanations, and in particular 
historical explanations of rational actions or decisions, are based not on universal or 
statistical laws, but rather on truisms or more generally, what he terms "normic" 
statements. Normic statements include such statements as "In delicate circumstances, 
rational men act cautiously," or "'All murders are committed from motives of revenge, lust, 
jealousy, hate, greed, or fear/' Such statements frequently involve terms such as 
"naturally," "normally," "typically," "tendency," "ought," "should," and others. Normic 
statements provide plausible explanations of actions or situations, explanations which may 
be invalidated by providing exceptions, special cases, or other mediating circumstances-, 
that is, instances of normic statements are defeasible. In this way, normic statements seem 
closely related to statements expressible in non-monotonic logic. Scriven pointed out that 
while in some cases normic statements could imply statistical statements and so have some 
predictive power, in other cases normic statements can only supply coherent explanations, 
cannot rule out alternative coherent arguments, and thus fail to have predictive power. 
De Kleer C1979] amplifies this point in considering explanations of the behavior of 
designed artifacts. As we shall see in this paper, this circumstance is also highly 
suggestive of non-monotonic logic. 

In PLANNER [Hewitt 19723, a programming language based on a negationless 
calculus, the THNOT primitive formed the basis of non-monotonic reasoning. THNOT, as 
a goal, succeeded only if its argument failed, and failed otherwise. Thus if the argument 
to THNOT was a formula to be proved, the THNOT would succeed only if the attempt to 
prove the embedded formula failed. In addition to the non-monotonic primitive THNOT, 
PLANNER employed antecedent and erasing procedures to update the data base of 
statements of beliefs when new deductions were made or actions taken. Unfortunately, it 
was up to the user of these procedures to make sure that there were no circular 
dependencies x>r mutual proofs between beliefs. Such circularities could lead to, for 
example, errors of groundless belief (due to two mutually supporting beliefs) or non- 
terminating programs (a more technical but no less irritating problem). 
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Two related forms of non-monotonic deductive systems are those described by 
McCarthy and Hayes [1969] and Sandewall [19121 McCarthy and Hayes give some 
indications of how actions might be described using modal operators like "normally" and 
"consistent", but present no detailed guidelines on how such operators might be carefully 
defined. Sandewall, in a deductive system applied to the frame problem (which is 
basically the problem of efficiently representing the effects of actions; see [Hayes 19733) 
used a deductive representation of non-monotonic rules based on a primitive called 
UNLESS. This was used to deduce conditions of situations resulting from actions except in 
those cases where properties of the action changed the extant conditions. Thus one might 
say that things retain their color unless painted. 

Sandewall's interpretation of UNLESS was in accord with then current intuitions: 
UNLESS(p) is true if p is not deducible from the axioms using the classical first-order 
inference rules. Unfortunately, this definition has several problems, as pointed out by 
Sandewall. One problem is that it can happen that both p and UNLESS! p) are deducible, 
since from a rule like "from UNLESS(C) infer D" D can be inferred, but at the same time 
UNLESS(D) is also deducible since D is not deducible by classical rules. These problems 
are partly due to the dependence of the notion of "deducible" on the intention of 
deduction rules based on "not deducible". This question -begging definition leads to 
perplexing questions of beliefs when complicated relations between UNLESS statements are 
present. For example, given the axioms 



A A Unless(B) ^ C 
A A Unless(C) => B, 

we are faced with the somewhat paradoxical situation that either B or C can be deduced, 
but not both simultaneously. On the other hand, in the axiom system 

,■■' ■^..'..,. a ■•■ ." • ' ■,'■' ,,;•■ ;.;,-..: ,■ ..' ■. '"'• ■■'..'".'.;. : . ' 

A A Unless(B) 3 C 

A A Unless(C) 3.D : .' 

A A Unless(D) 3 E, 

one would expect to see A, C and E believed, and B and D not believed. 

One might be tempted to dismiss these anomalous cases as uninteresting. In fact, 
such cases are not perverse; rather, they occur naturally and are very important in many 
applications. One common way they are introduced is by employing assumptions which 
require further assumptions to be made. Of course, such hierarchical relations between 
choices can be avoided in any fixed theory by rephrasing the system in terms of one 
universal state variable, but such a solution is practically undesirable and inefficient 
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Instead, it is necessary to employ systems which allow such patterns of dependency 
relationships to occur. 

Spurred by Sandewall's presentation of the problems arising through such non- 
monotonic inference rules, Kramosil [1975] considered sets of inference rules of the form 

"From hp, f/q, infer hr", 

where h and U are tokens of the meta-language and the number of antecedents can be 
arbitrary, Kramosil defined the set of theorems in such a system as the intersection of all 
subsets of the language closed under the inference rules. He noted that this set may not 
itself be closed under the inference rules, and showed that in the special case in which the 
inference rules preserve truth values (that is, are effectively monotonic) that if the set of 
theorems of the monotonic inference rules alone is also closed with respect to the non- 
monotonic inference rules, then this set is the set of non -monotonic theorems. Kramosil' s 
conclusion was that a set of inference rules defines a formalized theory (one in which all 
formulas have a well-defined truth value) if and only if this same theory is that of the 
monotonic inference rules alone, which he interprets to mean that the non -monotonic rules 
are either useless or meaningless. 

As we will show in this paper, Kramosifs interpretation was too pessimistic with 
regard to the possibility of formalizing such rules and their unusual properties. As we 
have argued above, the purpose of non-monotonic inference rules is not to add certain 
knowledge where there is none, but rather to guide the selection of tentatively held beliefs 
in the hope that fruitful investigations and good guesses will result. This means that one 
should not a priori expect non-monotonic rules to derive valid conclusions independent of 
the monotonic rules. Rather one should expect to be led to a set of beliefs which while 
perhaps eventually shown incorrect will meanwhile coherently guide investigations. 

Non-monotonic inference rules need not appear in the explicit forms discussed 
by Kramosil. Many authors have described artificial intelligence programs which exhibit 
non-monotonic behavior only implicitly. Non-monotonicity in these systems stems 
typically from extra-logical devices like conflict resolution strategies, which use 
production-rule orderings and specificity criteria to determine the next system action. 
Pratt C1977] and Joshi [19783 term this property of their systems "non-monotonicity". 

One class of non-monotonic inferences consist of what might be called "minimal" 
inferences, in which a minimal model for some set of beliefs is assumed by assuming the 
set of beliefs to be a complete description of a state of affairs. Joshi and Rosenschein 
Q97S1 describe a partial-matching procedure based on the operation of taking least upper 
bounds in a lattice of sets of beliefs. This has the effect of assuming just enough 
additional information, to allow a desired partial match to succeed. McCarthy [19773 



outlines a procedure called "circumscription", in which the current partial extension of 
some predicate is assumed to be the complete extension. Of course, new examples of the 
predication can invalidate previous completeness assumptions. Reiter C1977] analyzes the 
related technique of assuming false all elementary predications not explicitly known true. 
He outlines some conditions under which data bases remain consistent under this "closed 
world assumption", and shows certain forms of data bases to be naturally consistent with 
this assumption. However, the closed world assumption does not seem to allow for any 
locality of definition of defaults, since it applies this assumption to all primitive predicates, 
and does not allow defaults applied to defined predicates. Circumscription, on the other 
hand, would seem to be applicable to any predicate whatever. Although they describe 
tools for non-monotonic reasoning, none of these authors discuss the problem of revision 
of beliefs. 

These problems were mostly resolved in the Truth Maintenance System (TMS) of 
Doyle C19783 and related systems [London 1977, McAllester 1978] in which each statement 
has an associated set of justifications, each of which represents a reason for holding the 
statements as a belief. These justifications are used to determine the set of current beliefs 
by examining the recorded justifications to find well-founded support (non-circular 
proofs) whenever possible for each belief. When hypotheses change, these justifications 
are again examined to update the set of current beliefs. This scheme provides a more 
accurate version of antecedent and erasing procedures of PLANNER without the need to 
explicitly check for circular proofs. The non-monotonic capability appears as a type of 
justification which is the static analogue of the PLANNER THNOT primitive. Part of the 
justification of a belief can be the lack of valid justifications for some other possible 
program belief. This allows, for example, belief in a statement to be justified whenever 
no proof of the negation of the statement is known. This representation of non-monotonic 
justifications, in combination with the belief revision algorithms, produced the first system 
capable of performing the routine revision of apparently inconsistent theories into 
consistent theories. Part of this revision, process is a backtracking scheme called 
dependency -directed backtracking. CStallman and Sussman 1977] We will analyze this 
system in more detail later, but first we provide some theoretical foundations for this work. 

In outline, our analysis of these questions will proceed as follows. We first 
define a standard language of discourse including the non-monotonic modality M 
("consistent"). The semantics of the language is based on models constructed from fixed 
points of a formalized non-monotonic proof operator. Provability in this system is then 
defined, and a proof of completeness for this system is presented. This is augmented by a 
proof procedure for a restricted class of theories and an analysis of some of the structure 
of models of non-monotonic theories. 
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Linguistic Preliminaries 

We settle on a language L which will be the language of all theories mentioned 
in the following. L has an infinite number of constant letters, variable letters, predicate 
letters, and propositional constant letters. The formation rules of the language are as 
follows: 

The atomic formulas of L are the propositional constant letters and the strings of 
the form g'(x^,...,x n ) for predicate letter g and variables or constants x^, ... , x n . The 
formulas of L are either atomic formulas or, for formulas p, q and variable letter x, 
strings of the form Mp, -»p, p^q, and Vxp. We use the usual abbreviations of pAq for 
-«Ep3-iq] 7 pvq for ^p=>q, 3xp for -^Vx-ip, and abbreviate -'Nhp as Lp. A statement is a 
formula with no free variables. The usual criteria for determining free variables apply 
(see CMendelson 19643). In addition, a variable x is free in Mp if and only if x is free 
in p. 

In this paper, the letters C, D, E and F will be used as syntactic variables 
ranging over propositional constant letters. The letters p, q and r will be used for 
formulas. Implicit quasi-quotation is used throughout. That is, if p and q are formulas, 
p=>q is the formula obtained by concatenating p, the implication symbol, and q. This 
notation extends to handle finite sets of formulas in the following way: if Q is a finite set 
of formulas, and Q appears in a quasi-quoted context, it always stands for the 
conjunction of its elements. For example, Q=>p means the formula obtained by conjoining 
all the elements of Q and following the result with the implication symbol and p. (If Q is 
empty, it stands for Cv-^C). Since syntax is not a preoccupation of this paper, the 
presentation is not rigorous in specifying the number of arguments of predicate letters, 
parenthesization, etc. 

The inferential system used defines a first-order theory to be a set of axioms 
including the following infinite class of axioms: 

For all formulas p, q and r: 
(6) (i) p=>[qz>p] 

(ii) Cp3[ q r>r]]3[[p3q]u[qr> r ]] 

(iii) C-q3np]3[[-iq3p]z>q] 

(iv) Vxp(x)=>p(t) 
where p(x) is a formula and t is a constant or a variable free for x in p(x) and p(t) 
denotes the result of substituting t for every free occurrence of x in p(x), and 

(v) VxCp^q]3[p3Vxq] 
if p is a formula containing no free occurrence of x. (These axioms are from CMendelson 
1964].) These are the logical axioms. All other axioms are called proper, or non -logical 
axioms. (This terminology is misleading for axioms which are logical consequences of the 
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logical axioms, but we will ignore this inelegance.) The theory with no proper axioms is 
called the predicate calculus (PC). (Note that this theory also contains strings containing 
the letter M, so it is actually not strict PC.) The sentential calculus (SC) consists of 
axioms which arc .instances . of (i), (ii) and (iii) only. A theory consisting only of the 
sentential calculus plus a finite number of statements is called a statement theory. 

In this paper, the letters A and B will be used to stand for theories. 



Proof-Theoretic Operators 

- -The monotonic rules of inference we will use (also from [Mendelson 19643) are 

(7) Modus Ponens: from p and p^q, infer q 
Generalization: from p, infer Vx p. 

If S is a set of formulas, and p follows from S and the axioms of A by the rules (7), we 
say Sh^p. We abbreviate hpQ by h alone. We define Th(S) = {p: Shp}. 

The particular inference rules (7) are not very important. Later in the paper, 
^g^ when we concentrate on statement theories, the rule of generalization will be dropped 

^without much fanfare. All that is important is that the operator Th have the following 
' ^' ■ p 

(8) (i)AcTh(A) 

(ii) If A cB", thenTh(A) eTh(B), 

and the property (9) of idempotence 

(9) Th(Th(A)) =Th(A). 

Clearly, any classical inference system satisfies these conditions. Condition (9) can also be 
viewed as a fixed point equation, stating that the set of theorems monotonically derivable 
from a theory is a fixed point of the operator which computes the closure of a set of 
formulas under the monotonic inference rules. A well-known property of the monotonic 
inference rules is that Th(A) is the smallest fixed point of this closing process; in fact, 
that Th( A) is the intersection of all S such that A Q S and Th(S) = S. 

In order to deal with non-monotonic logic, we need a new inference rule like this 
one (which we will take back immediately): 

(10) "If[/ A np, thenh A Mp." 
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That is, if a formula's negation is not derivable, it may be inferred to be consistent. As it 
stands, however, this rule is of ho value because it is circular. "Derivable" means 
"derivable from axioms by inference rules", so we cannot define an inference rule in terms 
of derivability so casually. 



Instead, we retain the definition of h as meaning monotonic derivability, and 
define the operator NM as follows: for any first -order theory A and any set of formulas 
S £ L (L, recall, is the entire language), let 

(11) . NM A (S) =Th(AuAs A (S)), 
where As^(S), the set of assumptions from S, is given by 

(12) As A (S) = {Mq: q € Land iq $ S} -Th(A). 

Notice that theorems of A of the form Mq are never counted as assumptions. NM A takes a 
set S and produces a new set which includes Th( A) but also includes much more: 
everything provable from the enlarged set of axioms and assumptions which is the 
original theory together with all assumptions not ruled out by S. We depict this situation in 
the following figure, for the special case of S = NM A (S), in which S is a fixed point of 
the operator. 



A 
TK(A) 



As A (S) 



NM A (S) 




We would like to define TH(A), the set of theorems non-monotonically derivable 
from A, by analogy with the monotonic case as 
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(13) 'TH(A) = the smallest fixed point of NM A . M 

This "definition" tries to capture the idea of adding the non-monotonic inference rule (10) 
to a first-order theory A. This is plausible, since it demands a set such that all of its 
elements may be proven from axioms and assumptions not wiped out by the proofs. 
Unfortunately, there is in general no appropriate fixed point of NM a. It can happen that 
a theory has no fixed point under the operator NM^. Even if there are fixed points, 
there need not be a smallest fixed point. 

For example, consider the theory Tl obtained as 

(14) Tl = PC u { MC^D, MD=>-€ }, 

where C and D are propositional constants. NMyj has two fixed points, which can be 
called Fl and F2. Fl contains -C but not ->D, and F2 contains -^D but not -C Since -^D is 
not in Fl, MD is in Fl, and so -^C is in Fl. Similarly, the presence of -*D in F2 keeps -C 
out and MC in F2. The problem is that neither FlnF2 nor FluF2 is a fixed point of 
NM T1 , Since neither -C nor -D is in FlnF2, MC and MD are both in NM T1 (FlnF2j, so 
-C and -D are in NM T1 (FlnF2), so FlnF2 ^ NM T1 (FlnF2). Similarly, both ^C and M> 
are in NM Ti (FluF2), so applying NM T1 to the union results in a smaller set. So in this 
case there is no natural status for -C and -»D. 

An example of a theory with no fixed point of the corresponding operator is the 
theory T2 obtained as 

(15) T2 = PC u { MC=>-C }. 

In this case, NM^ has no fixed point, since alternate applications of the operator to any 
set produce new sets in which either both MC and -C exist or neither exist. 

Therefore, we must accept a somewhat less elegant definition of TH. Let us 
define TH as. follows: 

(16) TH(A) =0({L}u{S:NM A (S) =S}). 

That is, the set of provable formulas is the intersection of all fixed points of NMa, or the 
entire language if. there are no fixed points. We will use the abbreviation Ahp to indicate 
that p € TH(A). With this definition, neither MC nor MD is a theorem of Tl in (14), 
but MCvMD is. In the following, we will abbreviate {S: NM A (S) = S} as FP(A), and 
(somewhat abusing the terms) call the elements of this set fixed points of the theory A. 

This definition of the provable statements is quite similar in some respects to the 
definition of compatibility-restricted entailment given by Rescher [19641 In that system, a 
set S of formulas is said to CR -entail a formula p if p follows in the standard fashion 
from each of one or more "preferred" maximal consistent subsets of S. In the present case, 
we obtain the preferred subsets of formulas as fixed points of the operator NM A (the 
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"compatible subsets"), but in contrast to normal deducibility where the empty set always 
suffices, there need not be any such subsets. This case produces the entire language as the 
set of provable formulas by vacuous fulfillment of the condition of derivability. 

One unusual consequence of this definition of provability is that the deduction 
theorem does not hold for non-monotonic logic. For example, while { C } I* NILC, it is 
not true that KC^MLC. This failure of the deduction theorem is to be expected, 
however, since the non-monotonic provability of a formula depends on the completeness 
of the set of hypotheses, that is, on the fact that no other axioms are available. The 
deduction theorem, however, would if valid produce implications valid no matter what 
other axioms were added to the system, even if these axioms would invalidate the 
completeness condition used in the derivation of the implication. One should note that 
although the deduction theorem does not hold in general in non-monotonic logic, there are 
many particular cases in which it does hold. For instance, if some conclusion follows 
classically from some hypotheses, then the expected implication will also hold. In 
addition, not all properly non-monotonic theories are such that the deduction theorem 
fails, It is an interesting open problem to characterize the precise cases in which the 
deduction theorem is valid in non-monotonic theories. 

So far, we have defined "provability" without defining "proof". For a formula 
to be provable in a theory, it must have a standard proof from axioms and assumptions 
in each fixed point of the theory, and, as yet, we have no way of enumerating fixed 
points or even of describing one. It is worth note that when a theory has more than one 
fixed point, the fixed points are inaccessible in the sense that the sequence Th(A), 
NM A (Th(A)), NM A (NM A (Th(A))), ... does not converge to a fixed point. We have a 
proof, which we do not present here, that if NM A has exactly one fixed point, then the 
fixed point is the limit of successive applications of NM A to the sequence of sets starting 
with A. We will eventually attend to defining non-monotonic proof, but first we turn our 
attention to the topic of semantics. 



Model Theory 

The semantics of non-monotonic logic is built on the notion of model, just like 
the semantics of classical logic. In fact, the definition of model for a non-monotonic 
theory depends directly on the usual definition. 

An interpretation V of formulas over a language L is a pair <X, U>, where X is 
a nonempty set, and U is a function which associates relations and values over the domain 
X with each predicate, variable, constant and propositional constant letter in the usual 
fashion. That is, for each n-ary predicate letter P, U(P) £ X n ; for each variable or 
constant x, U(x) e X; and for each propositional constant letter C, U(C) e {0, 1}. 
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Using this mapping function U we define the value V(p) of a formula p in the 
interpretation V to be an element of {0, 1} satisfying the following conditions: For an 
atomic formula p(x^ ..., x n ), the value is 1 if <U(xj), ..., U(x n )> € U(p), and is 
otherwise. V(-p) = 1 if V(p) = 0, and is otherwise, V(pr>q) = 1 if either V(p) =0 or 
V(q) = 1, and is otherwise. V(Vxp) = 1 if for all y e X, V(p) = 1, where V* = <X 
Cy/ xJU>, where [y/ xlU is the mapping derived from U by changing its value at the 
point x to the value y. V(Vxp) = otherwise. If V(p) = 1, we say that V satisfies p, and 
write Vf=p. 

A monotonic .model of a set of formulas S C L is an interpretation V which 
satisfies each formula in S, that is, V(p) = 1 for each formula p € S. A nonmonotonic 
model of a theory A is a pair <V, S>, where V is a monotonic model of S, and S e FP(A). 
When the context makes the intended meaning clear, we will use the term model of A to 
mean either a non -monotonic model, a monotonic model, or an element of FP(A) for the 
theory A. 

Although unorthodox, this definition provides a meaning for formulas Mp 
which reflects the proof-theoretic property that "p is consistent with what is believed". 
This notion is made precise by including in the model a set of "current assumptions" 
(namely, As A (S)). A model for a theory must assign 1 to all of these assumptions, so the 
effect is that Mp is assigned 1 in a model if -^p is not derivable and ^Mp is not derivable 
from the current assumptions and the original theory, that is, if p is consistent with what 
is "believed" in the model Unfortunately, Mp may be assigned 1 in some model even 
when -»p is derivable (for example, when no axiom mentions Mp at all). This indicates 
that the logic is too weak. We will discuss this question later, 

A more elegant approach towards the definition of non-monotonic models might 
involve the definition of a notion of "noncommittal" models, followed by a demonstration 
of a connection between noncommittal models and fixed points of theories. This would 
give the model theory some independence from the proof theory. We have developed such 
an approach for a stronger non-monotonic logic, as discussed later, but this sort of 
approach seems doomed to failure in the present weak logic. 

Much of the unorthodoxy of this semantics stems from the nature of non - 
monotonicity itself. Because the intended meaning of the operator M makes reference to 
the other formulas of the theory, an unusual holistic semantics results in which the 
meanings of formulas involving M depend on the theory as a whole. Thus the semantics 
is quite unlike the Kripkean semantics developed for the standard modal logics. In a later 
section, we will examine such differences in more detail. 

With this definition of model, we can justify the definition of provability. 
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Theorem L (Soundness) If Ahp, then Vt=p for all models <V, S> of A. 

Proof: Assume AHp. If there are no models of A, the theorem follows trivially. 
Otherwise, p is a member of every fixed point of A. But since every model of A is a 
monotonic model of a fixed point of A, every model assigns 1 to p. H 

Theorem 2. (Completeness) If VNp for all models <V, S> of A 1 then Af*p. 

Proof: Assume that it is not true that Ahp. Thus there is a fixed point S of NM^ 
which does not contain p. Now Th(S) = S by idempotence, so Stfp. But the predicate 
calculus is complete, so some monotonic model V of S has V(p) = 0. B .'.-.;. 

It is not surprising that we have completeness, since the definition of truth 
makes reference to provability. The proof was for first-order theories, but it can easily be 
generalized to any complete formal logic. For example, if we take care not to confuse M 
with the SS operator "possibly", we can easily get a complete non-monotonic extension of 
SS. However, none of these observations are very interesting unless we have some 
assurance that provability is decidable. We will shortly present a proof procedure for 
non-monotonic statement theories. 



Fixed Points of Theories t 

This section will try to analyze the structure of fixed points for non-monotonic 
theories. We investigate the number of fixed points of theories, and their relation to the 
provable statements. 

Non-monotonic theories may have varying numbers of fixed points. Classically 
inconsistent theories have just one fixed point (the entire language L) and thus no 
models. The theory T2 in (15) also has no models due to the lack of a fixed point. 
Theories formulated in strictly classical language have exactly one fixed point, as does the 
theory 

(17) T3 = PC u { MC^C }. 

Some theories have several fixed points, e.g. Tl in (14). It is also possible for a theory to 
have an infinite number of fixed points. This is exemplified (we assume equality and an 
infinite domain of unequal constants) by 
(18); T4 = PCu{ VxCMp(x)3[p(x)AVyCx^y3ip(.y)]]] }. 

Even in theories having only one fixed point, the non-monotonically provable 
statements need not coincide with the classically provable statements. Theory T3 above is 
an example, for C € TH(T3), but C £ Th(T3). Some statements will be provable in 
theories with multiple fixed points, but will have different proofs in each fixed point. For 
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example, MCvMD eTH(Tl), and 3xMp(x) € TH(T4). 

The classical results concerning truth and provability for logical languages are 
that, for a given theory A, a formula is valid in A (true in all models of A) if and only 
if it is provable in A, and that the theory has a model if and only if it is consistent 
(cannot be used to derive a contradiction). In non-monotonic logic, somewhat different 
circumstances obtain. As Theorems 1 and 2 have shown, validity in a theory remains 
equivalent to provability. However, from the definition of models of non-monotonic 
theories, it follows that a non-monotonic theory A has a model only if the operator NMa 
has a classically consistent fixed point. Non-monotonic theories can lack fixed points (e.g. 
the theory Tl) , but we have defined such theories to be inconsistent. 

The basic structure theorem states that all fixed points of a non-monotonic 
theory A are (set inclusion) minimal fixed points. 

Theorem 3. If Sj,S 2 € FP( A) and Sj c S 2 , then S 1 = S 2 . 

Proof: If S| e s 2 , then As A (S 2 ) "c As A (S|), so by the monotonicity of Th, 
NM A (S 2 ) ^ NNI A (S 1 ). But since S^ and S 2 are fixed points of this operator, Sn c Si, so 

This result suggests that strict set-theoretic minimality is not a particularly interesting 
distinction among fixed points. In the following sections we will make steps towards more 
interesting classifications, but without a fully satisfactory solution. Important applications 
of this theorem are the following two corollaries. 

Corollary 4. If L is a fixed point of A, then it is the only fixed point of A. 

Proof: If S €FP(A), thenS £ L, so S = L by Theorem 3. B 

Note that if L is a fixed point of A, then A is classically inconsistent, that is, Th(A) = L. 

Corollary 5. If p, -p € TH( A), then TH( A) = L. 

Proof: If A has no fixed points, the theorem follows by definition. If both p and -ip' 
are members of a fixed point S of A, then since fixed points are closed under monotonic 
deduction, S = L. But then FP( A) = {L}, so TH( A) = L. B 

With these results, we can study the notion dual to provability in non-monotonic 
theories. We say that a formula p is arguable from A if p € UFP(A), that is, if some 
fixed point of A contains p. Clearly, all provable formulas are arguable. Our next 
theorem shows that in consistent theories, provability and arguability are almost dual 
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notions. 

Theorem 6. If A is consistent and p is provable in A, then -^p is not arguable. 

Proof: If p is provable in a consistent theory A, then any S € FP(A) containing -p 
would be inconsistent, which is impossible by Corollary 4. B 

Unfortunately, the converse of this theorem is not true. For example, in the theory with 
no proper axioms, -C is not arguable, but C is not provable. We will term the notion 
dual to provability conceivability. Thus all arguable formulas are conceivable, but not vice 
versa. We say doubtless p if and only if -^p j S not arguable. In PC, C is doubtless yet not 

arguable, and in the theory — - 

(19) T5 = PC u { MC^C, NhC=>-iC } 

C is arguable yet not doubtless. Summarizing, we have the following diagram of sets of 

formulas with these properties, where all inclusions are proper. 



CONCEIVABLE 




DOUBTLESS S >* ARGUABLE 



PROVABLE 



It is worthy of note that the provable and arguable statements of a consistent 
theory cannot be classified as the monotonic theorems of the theory augmented by some set 
of assumptions. That h } the set of arguable statements may be inconsistent yet not sum to 
the entire language L, and the set of provable statements may involve assumptions that 
vary from fixed point to fixed point, as in the theory T2 above, where neither the 
assumption MC nor the assumption MD is present in both fixed points. 

Another natural classification is that of "decision". We say that p is decided by a 
consistent theory A if and only if for all S € FP( A), either p € S or -«p € S. The dual to 
this notion is just its negation. In this case we say that A is ambivalent about p if p is not 
decided by A. 
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Corollary 7. If p is doubtless yet decided by A, p is provable. 
Proof: For each S € FP(A), either p € S or -*p ■€ S; yet -ip <£ S, so p € S. fl - - 

The Evolution of Theories 

We now turn to analyzing inter-theory relationships. These are important in 
describing the effects of incremental changes in the set of axioms, and this is the task of 
practical systems like the TMS [Doyle 1978], which has the task of maintaining a 
description of a model of a changing set of axioms. As we shall see, there are many 
unusual phenomena which occur when theories change. The most striking result shows 
that the analogue of the compactness theorem of classical model theory does not hold For 
non-monotonic theories. This has important repercussions on the methods useful in 
constructing "models 11 of theories incrementally. 

Theorem 8. There exists a consistent theory with an inconsistent subtheory. 

Proof: Consider the consistent theory 

(20) T6 = PC u { MC^C, -C }. 
The subtheory PC u { MC^C } is inconsistent. D 

Note, however, that the theory T6 in (20) has as a thesis the formula ^MC, which makes 
it quite different than some previously considered theories. We will discuss this type of 
theory in more detail later. 

In many cases, the changes in fixed points induced by changes in theories is less 
drastic than those apparent in the previous theorem. The simplest cases are as follows. 

Theorem 9. If A is consistent, and p is arguable in A, then A* = Au{p} is consistent, and 
FP(A')nFP(A) * 0. 

Proof: Since p is arguable, there is some S e FP(A) such that p € S. But clearly, S is 
then also a fixed point of NM A «. Q 

Unfortunately, this theorem cannot be strengthened to conclude that FP(A') is contained 
in FP(A), since in the theory 

(21) T7 = PC u { MC^D, MD^C, -M } 

there are two fixed points, call them Fl and F2, with n'C € Fl, E € Fl and -»D e F2, 
E <t F2. Extending this theory by adding the axiom E produces a theory also with two 
fixed points, one of which is Fl, but the other fixed point F3 differs from F2 in that 
E € F3 and M-E $ F3. 
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Theorem 10. If A and A* = Au{p} are consistent and FP(A)nFP(A') * 0, then p is 
arguable in A. r 

Proof: Since p e A', p e S for every S e FP(A'). Thus p e S for some S € FP(A). B 



Theorem 11. If A and A* = Au{p} are consistent, then p is provable in A if and only if 
FP(A') =FP(A). ■■■■. 

Proof: If p is provable in A, p e S for every S € FP(A), so each member of FP( A) is 
also a member of FP(A'). If FP(A) = FP(A'), then since p € S for each S e FP(A'), 
p e S for each S e FP(A), so p is provable in A. D 

The import of these theorems is that if a new axiom is already implicit in the 
current axioms, either no change of fixed point is necessary, or a simple shift to a 
different fixed point of the previous axioms is allowable. When considering changes 
which delete axioms from theories, the basic problem is the non -compactness result 
mentioned above. Other interesting questions are of the form "how few axioms must be 
added or removed to remove p". Answers to these questions will in general depend on the 
specific theory in question. 

Another important phenomenon is the "hierarchy of assumptions" CDoyle 1978], 
in which some non-monotonic choices depend on others. This manifests in terms of fixed 
points as the addition of new axioms increasing the number of fixed points of the theory. 
For example, adding the axiom E to the theory 
(22) T8 > PC u { [EaMC3=hD, CEaMDI^c } 

increases the number of fixed points from one to two. In this case, E can be interpreted as 
the reason for choosing between -<C and ^D. 

To get a global view of theory evolution, we consider the set of all consistent 
theories containing a consistent theory A as a subtheory. For a formula p, we can 
consider the evolution of the properties of p of being arguable, provable, or decided over 
sequences of extensions of the theory A. The evolution of arguability is mainly a question 
of control structures; this is the point of the encoding of control primitives in non- 
monotonic dependency relationships given by Doyle Q9781 We have at present no way of 
describing the evolution of decision. However, analysis of the relationships between the 
theories and their extensions will shed light on how our semantics for Mp matches the 
intuitive notion of "p can be added consistently to the theory". 

We say that p is assumable in a consistent theory A if the theory Au{p} is also 
consistent. We name the dual notion by saying that p is uncontroversial in a theory if -p 
is not assumable in the theory. The matching of the semantics of non-monotonic logic 
with this more standard notion of consistency will be apparent upon examining the 
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correlation between assumability of p and the arguabihty of Mp in a theory, since this 
latter condition would seem to say there is a coherent interpretation of the axioms in 
which p is consistent. Our logic is weak, however, and so this correlation is weak, (The 
correlation is much stronger in the stronger logics mentioned later.) As an approximation, 
we note that Mp is arguable if p is arguable, and so instead attempt to correlate 
arguability of p with assumability of p. This correlation is as follows. By Theorem 9 the 
assumable formulas includes the arguable formulas, but not vice versa since C is assumable 
but not arguable in PC. The assumable formulas are incomparable with the conceivable 
formulas, since C is conceivable but not assumable in 

(23) T9 = PC u { C^CDaCMD^D]] }, 

and -*C is assumable but not conceivable in the theory T3 of (17). Also, the assumable 
- formulas are incomparable with the uncontroversial formulas, since C is assumable but not 
. uncontroversial in PC, and C is uncontroversial but not assumable in 

(24) T10 = PC u { C^EDaCMD^D]], -OCEaEME^EU }. 

We specify another classification by saying that a formula p is safe in a 
consistent theory A if and only if p e TH(A') for all consistent A' such that Ae A', and 

that p is forseeable if and only if -^p is not safe. Let Safe(A) = {p: p is safe in A}. We 

then can characterize the set Safe( A) as follows. 

f*^ ■rrr : :];i'\y- Theorem 12. If "A. is consistent, then Safe(A) is the least set such that the following three 
conditions hold: 

(i) AcSafe(A) 

(ii) Th(Safe(A)) = Safe(A) 

(iii) If p € Safe(A), then Mp € Safe(A). 

Proof: The first two cases are correct because all formulas classically deducible from safe 

formulas (in particular the axioms) will remain classically deducible when the set of 

axioms is enlarged. The case of interest is (iii), which declares that "covered" 

-^, : . 1W .- -. assumptions are safe. That is, if p_ € Safe(A), then -^p cannot be a member of any 

consistent extension of A, so Mp will be a member of every consistent extension; thus Mp 

';..■■ is safe, i 

It is clear that all safe formulas are both assumable and uncontroversial, and 
that these inclusions are proper. Elementary considerations show further that the 
forseeable formulas include the assumable and uncontroversial formulas, but again, not 
vice versa. Also, the provable formulas properly include the safe formulas with theory T3 
in (17) as the example, and the forseeable formulas properly include the conceivable 
formulas via the same example. 

A weakened version of assumability is produced by saying that p is realizable in 
a consistent theory A if there is some consistent theory A' such that A £ A* and p € A\ 
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We also say that p is undeniable if and only if -^p is not realizable. Clearly, the realizable 
formulas include the assumable formulas, but the converse does not hold as MC^C is not 
assumable in PC but is an axiom of the consistent theory T6 in (20). The forseeable 
formulas obviously include the realizable formulas, but not vice versa since C is forseeable 
but not realizable in the theory T9 of (23). Also, the realizable formulas are 
incomparable with the conceivable formulas, since C is conceivable but not realizable in 
T9 of (23), and -»C is realizable but not conceivable in T3 of (17). The example of T10 
in (24) provides an example of what following Kripke might be called the paradoxical 
formulas of a theory, formulas (in this case C) such that neither they nor their negations 
are realizable. The example of T9 in (23) provides an example of what might be called 
the intrinsic formulas of a theory, formulas (in this case -C) which are realizable and 
undeniable. 



inclusions. 



Putting all these observations together, we arrive at the following diagram of 



FORSEEABLE 



CONCEIVABLE 



DOUBTLESS 



ilUNCONTROVERSIAL 



UNDENIABLE 




REALIZABLE 

ASSUMABLE 
ARGUABLE 



PROVABLE 



SAFE 

This illustrates the distinction between arguability and assumability, that arguability does 
not completely capture the notion of assumability. This is probably to be expected from 
the Tarski-Gbdel results on the indescribability of consistency within consistent theories. It 
would be interesting to see a more careful analysis of this situation. One goal of such an 
analysis might be to connect the logic of incomplete information implicit in non-monotonic 
logic to other logics of incomplete information, such as the S4 interpretation of the 
intuitionistic predicate calculus CHeyting 1956, Kripke 1965], Kripke's theory of truth 
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CKripke 1975; cf. Martin and Woodruff 1976, Takeuti 1968], and Lipski's theory of 
incomplete models CLipski 1977; cf. Van Frassen 1966, A. Robinson 196S1 The S4 
interpretation of IPC tries to describe the gradual accumulation of mathematical truths, 
and seems closely related to our notion of safety. Kripke's theory of truth has strong 
similarities to the current theory, for it develops models for the truth of self-referential 
and theory-referential statements which are fixed points of a certain operator on partially 
defined truth -predicates. Since the acceptable models of truth are restricted to be fixed 
points of this operator, there can be never-decided paradoxical statements. The logic of 
the natural notions of possibility and necessity thus are not dual, but instead form a 
diamond relationship similar to the case for non-monotonic assumability and safety. 
Lipski's theory of incomplete models is considerably simpler and stronger than either 
Kripke's theory or non-monotonic logic, for his incomplete models can be constructed from 
any partial extensions of the predicates of the language, thus producing a certain 
completeness in the set of possible models. This logic is particularly interesting in that it 
allows for the truth value of formulas to change arbitrarily often upon successive 
extensions of models. 

In the above we have been concerned only with ways of describing the evolution 
of theories upon the addition of new axioms. One might also define descriptors for the 
case of removing axioms, or for the past history of provability. For example, assuming 
that all subtheories of A are consistent, we might say that p is untested if p is conceivable 
in every subtheory of A. (Cf. CHeyting 1956, p. 115]) Are there interesting descriptors of 
this kind? If so, what are their properties? We have not investigated these questions, but 
suspect they may be fruitful. 



A Proof Procedure for Non-Monotonic Statement Theories 

In this section, we demonstrate a proof procedure for the non-monotonic 
statement logic. This procedure is based on the semantic tableau method for the ordinary 
sentential calculus. [Beth 1958] In this method, a systematic attempt is made to find a 
falsifying interpretation for a formula under test. The formula is labeled "false" or "0", 
and semantic rules guide further labeling in an obvious way. For example, to show 

EC ^D] dKvD], 
start by labeling the formula false: 



[C d DJ d [-C-v D] 




For it to be false, its antecedent must be true and its consequent false: 
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[C > DJ 3 K v DJ 
1 

and similarly for disjunction and negation. In order to proceed further, the tableau must 
split into two cases to handle the embedded implication: 

I. [C d DJ d [-C v D] 

1 01 

II. tC :> D] d HT v Dl 

1 1 1 01 



In case 1„ C is labeled both 1 and 0. In case II., D is labeled both 1 and 0. Thus there is 
no falsifying model, and the formula is valid. 

.. On the other hand, consider the tableau for CC V D] => CC A D3: 

(25) [C v Dl d [C a Dl 

-'■■ '1 '■ 8"" "'" - ' 



XC v Dl 


d EC a Dl 




11 









tC v Dl o 


[C a Dl 




11 







tc'v Dl d 


[C a Dl 




1 1 


1 


tC v DJ 


o tC a DJ 




1 1 









[C v Dl d 


[C a D] 




1 1 


1 




'tC'v Dl d 


[C a Dl 




1 110 


10 



CLOSED 



OPEN 



OPEN 



CLOSED 



This tableau has been split twice, for a total of four branches. Two branches are closed as 
before, that is, some formula is labeled both true (1) and false (0). But two are open, 
that is, there is an exhaustive consistent labeling of formulas. This means that there are 
two falsifying models, so the formula is not valid. (Notice that we could have been more 
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clever in labeling the lines of this tableau. In the second line, for instance, we could have 
labeled both Cs at once, forcing the Us to be labeled 0, and arriving at an open branch 
immediately.) 

We will extend this procedure to handle non-monotonic statement theories. 
Without going into details, we assume an implementation of the algorithm just alluded to, 
which takes a goal and generates the complete tableau for it. (E.g., the goal of (2S) is 
CCvDD^CCaDI) A tableau has several branches, each a consistent labeling of 
subformulas if one exists (when the branch is open), else a partial labeling (when it is 
closed). The tableau is the result of applying all rules to the goal. Two tableaux are 
equal if and only if they have the same goal. The tableau of a formula is obviously 
computable, since the number of branches is no greater than 2 N , where N is the number 
of subformulas of its goal. 

We state without proof the following properties of the tableau method : 

The procedure is complete in the sense that a formula is provable if and only if 
its tableau has all closed branches. 

The procedure is exhaustive in the following sense: if X and Y are sets of 
formulas such that X £ Y and Yh sc p but Xf/ sc p, then in the tableau for p, in every 
open branch there is some element of Y-X labeled 0. 

For non-monotonic logic, we need to generalize to tableau structures. If A is a 
statement theory, and p is a formula whose provability is to be tested, then <A, p, t, X> 
is an A -tableau structure if and only if t is the tableau with goal A=>p; and X is the 
smallest set such that t € X, and if t' e X, then if Mq appears labeled in some branch b 
of t\ then t" € X, where f is the tableau with goal ' A=>iq. In this last situation, we say 
that t' mentions t" in branch b. 

In the classical procedure, a tableau is closed if all its branches are, and this can 
be determined unambiguously. In the case of a tableau structure, we can't tell whether a 
tableau is closed until we have determined the status of the tableaux it mentions, and 
there may be loops to contend with. 

Therefore we introduce the notion of an admissible labeling of a tableau 
structure, an assignment of one label, either OPEN or CLOSED, to each tableau in the 
structure, such that: 

(a) If the tableau with goal A^q is labeled OPEN, then every occurrence of Mq is 
labeled 1 in every tableau, and 
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(b) A branch is labeled CLOSED if and only if some formula is labeled both and 1 
in that branch. 

-- ..- The proof procedure creates tableau structures and labels them, as follows. 

Given A and p, the first step is to construct the tableau with goal A=p. All other tableaux 
needed are then constructed. That is, if some constructed tableau has a formula Mq 
labeled in an open branch, then construct the tableau with goal A=>--q if that tableau 
was not previously constructed. The tableau structure is then checked for admissible 
labelings by examining all possible labelings of the tableaux for labelings satisfying the 
admissibility test. This test consists of first labeling with 1 each occurrence of Mq in the 
tableau structure provided that the structure contains the tableau with goal A^q labeled 
OPEN. Then the labeling is admissible if all tableaux labeled OPEN have some open 
branch, and all tableaux labeled CLOSED have every branch closed. If in all admissible 
labelings the initial tableau with goal A=>p is labeled CLOSED, then p is provable, and 
otherwise is unprovable. We will shortly prove the correctness of this algorithm. 

We first present some examples. In the theory v 

(26) Tll."= SC u { MC3-.D, MD3--E, MEs-iF } 

(see CSandewall 19723) the Til -tableau structure for iF has only one admissible labeling: 



Til ;'- MCd-D 

' ; ' ; 1 

'..■' .'MDb-E 
1 
MEd-F 



t -F I f -E |t" -jj I t'" -C 

01 I 81 I 81 I 81 

ME | MD' | MC | 

8 I 8 | | 

I I I 

CLOSED | OPEN | CLOSED I OPEN 



Notice that we don't bother to copy the axioms in each tableau, but only those parts that 
become relevant. The tableau structure shows that --F € TH(Tll) , but --C $ TH(Tll). 

Another example is the T12-tableau structure for ->C, where 

( 27 ) T12 = SC u { MC3.D, MDo-C }. 

T12 - HCd-D I t -C I t' ■: -D 

1 ,;.'• I 81 | 01 ' "• ; 

MDd-C I MD | MC 

1 I 8 |0; 

This tableau structure has two admissible labelings. If t' is labeled OPEN, t is labeled 
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CLOSED, and vice versa. So there is an admissible labeling in which t is labeled OPEN, 
and ->C is not provable. 

On the other hand, the T12-tableau structure for MCvMD looks like this: 

T12 = MCd-D |t MCvMD | t' -C | t" -D 

1 | 00 | 01 | 01 

nD^G | | MD | MC 

1 I I | 

Again, there are two admissible labelings, but in both of them t is labeled CLOSED, so 

.,.._..._.__,. MCvMD is a theorem of T12. 

(The tableau structures just given are not really complete. It is left as an 
exercise for the reader to show that using the axioms to split each tableau into branches 
will not change the outcome.) 

Theorem 13. The proof procedure always halts and finds all admissible labelings of the 
tableau structure for its goal. 

^ Proof: The theorem is easily seen true by noting that because the set of proper axioms 

of the theory is finite, only a finite set of tableaux can be constructed. Once this is done, 
there are only finitely many labelings to cycle through, with trivial checks for 
admissibility and provability. D 

The next two lemmas guarantee the correctness of the approach. 

Lemma 14. If S is a fixed point of NM A , there is an admissible labeling of the tableau 

structure for A=>p such that p.e.S if and only if the tableau is labeled CLOSED in that 
,.,.,v,*; labeling. 

Proof: Let S e FP(A). We will construct the admissible labeling. In the tableau 
structure for A=>p, label a tableau OPEN if the goal of the tableau is A=>q and q * S. 
Consider one of the remaining tableaux, with goal A^r. There must be a minimal set of 
elements X = {M qjl , ..., Mq n }, such that X £ As A (S) and XH A r. If X = #, then the 
tableau for A=>r is closed no matter how assumptions are labeled. Otherwise, by 
exhaustiveness, every branch of the tableau has some Mq 4 e X labeled 0. So there will be 
a tableau for each such As-^. But these tableaux will be labeled OPEN (because 
-■qj £ S), so the corresponding branch of the tableau for A ^r will be CLOSED. So the 
whole tableau for A^r will be CLOSED. Further, no open tableau will be labeled 
CLOSED, because then there would be a proof of its goal from assumptions. Thus, if the 
■,-S tableau for A^p is labeled CLOSED, it can be proved from assumptions in As A (S), so 
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pes. If it is OPEN, p t S by construction. D 

Lemma 15. If there is an admissible labeling for the tableau structure for A=>p, there is a 
fixed point S of NM A such that, for every tableau with goal A=>q, the tableau is labeled 
CLOSED if and only if q e S. 

Proof: We construct S from the labeling. Let R Q be the set of formulas Mq such that the 
tableau for A^q is labeled OPEN. Let S Q ; Th(AuR Q ), and let Mq 1? Mq 2 , ... be an 
enumeration of all the formulas of the form Mq in L-R n , with the property that if Mq- is 
a subexpression of Mqj, then i < j. (E.g., MC is a subexpression of lVhIVIC.) 

Define R j+1 and S j+1 , for i = 0, 1, ... as follows: 

R i+1 = Rj if'-q i+1 .e S,, else \= RjulMq^}, and 

; S i+1 = Th(AuR i+i ). 

Now let S = UjTo S j5 and R = U& Rj. Clearly, S { G S i+1 and S = Th(AuR). 
Since NM A (S)=Th(AuAs A (S)), we can show that NM A (S) =S by showing that 
f\ J^ ~ As A (S). 

:■' '^^Lr 1 "*?: to shiow ..^ s A^ S ^ c R - Let "^ * S - We win show M( l € R - ,f M q € % then 
since Rq £ R, Mq € R. Otherwise q must be some q { . If -.q $ S, then iq <2 S, i, so 
Mq eR., soMq'e-R. -:■■ 

Second, to show R s As A (S), that is, if Mq € R, then nq * S. There are two 
cases. If Mq e Rq, then there is an OPEN tableau for A^q. Assume that -^q e S. Then 
there must be a k>l such that -q.e S R and -q t S k _ 1 . So R R l" A -q and R k _i^ A -q. But 
then by exhaustiveness, Mq k is labeled in the tableau for A=>-, q . So there is also a 
tableau for A^. if this tableau is OPEN, then Mq k € R Q . If this tableau is CLOSED, 
Mq k e S , and hence Mq k e S^. Either way, R k = R k _ x , which is impossible. 

In the other case, q will be some q t , so Mq e R j} and nq'« S^. Assume that 
->q e S, that is, -q is an element of some S k , k>i, and ^q t S R _j. Then R k h A -.q but 
R k-1 ^A ^\ so {Mq k }uR k _ x h A -iq. 

Now, Mq k does not occur as a subexpression of q = qj (since k>i), so Mq k must 
occur in the axioms A. So in some branch of the tableau for A=>-q, Mq k must be labeled 
0. But this means that Mq k must be labeled in some branch of the tableau for A=>p, for 
f\: any p. So any tableau structure must have a tableau for A=>nq k . This tableau must be 

OPEN, or ^q k would be a member of S Q , and hence a member of S R _ 1 . So Mq k e R Q , so 
R k = R k _X> which is a contradiction. 
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It remains to show that the labels agree with the fixed point. If the tableau for 
A3^ q is OPEN, then Mq € S by construction. If it is CLOSED, there is a proof of -q 
from Rq, so -^q € Sq. But Sq G S, so the final labeling agrees as well. B 

Theorem 16. If A is a statement theory (a finite extension of the sentential calculus), then 
non-monotonic provability in A is decidable. 

Proof:. Let <A, p, t, X> be the tableau structure for a formula p. If the procedure labels 
t CLOSED in every admissible labeling, then there is no fixed point of NM A which does 
not contain p, since there then would be an OPEN labeling. So p is in all fixed points, 
and hence provable. If the procedure labels t OPEN in some admissible labeling, there is 
a fixed point of NM A which does not contain p, so p is unprovable. B 

The proof procedure extends a previous procedure due to Hewitt Q972], and 
embodied in Micro-PLANNER CSussman, Winograd and Charniak 19713, a computer 
programming language for (among other things) mechanical theorem proving. A practical 
implementation of this procedure would interleave the building and labeling of tableaux, 
and would avoid building a complete tableau structure when unnecessary. We invite you 
to compare this procedure with, for instance, the tableau -structure method for S5. [Hughes 
and Cresswell 1972] One difference between these procedures is that the present procedure 
^-V splits tableaux into branches before generating alternatives, while the SS procedure splits 

the whole set of alternatives into branches. 

The Truth Maintenance System 

The only known adequate solutions to the handling of non-monotonic proofs are 
Doyle's T19783 TMS program and its relatives [London 1977, McAllester 19781 With our 
theoretical results in hand, we can present an approximate description of what this 
program does. The TMS has two basic responsibilities: 

(a) It maintains a data base of proofs of formulas generated by an independent 
proof procedure or perceptual program. In our terms its goal is to avoid the presence of 
both -^q and Mq in the data base simultaneously. 

(b) It detects inconsistencies, and adds axioms to a theory in order to eliminate them. 

The TMS keeps track, for each formula in the data base, of the formula's 
justifications. A justification of a formula p is a set { Pl , ... p n } of formulas which entail 
p. Such a justification may be viewed as a fragment of the tableau for A=>p; that is, for 
each branch of p's tableau, the justification contains a formula p i labeled in 'that 
branch. 
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The basic TMS algorithm searches for a labeling of formulas involved in 
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justifications. It obeys two principles; p is labeled 1 if and only if all the formulas in 
some justification of p are labeled 1, and Mp is labeled 1 if and only if -p is labeled 0. 
When the TMS finds a labeling satisfying these conditions, it arranges the data base so 
:_...:.-.. that only formulas labeled 1 are "visible" to the higher-level proof procedure or program. 
Thus, from the point of view of a program using the TMS, it chooses a subset of formulas 
to "believe". These formulas are said to be in; the other formulas are out. ' 

This is reminiscent of our proof procedure's search for admissible tableau 
labelings, but there are some important differences. The TMS operates on partial sets of 
tableau fragments, so its decisions may require revision as new fragments (justifications) 
are discovered. But there is a more striking difference between our proof procedure and 
- the TMS. The TMS searches for just one admissible labeling of its tableau fragments, not 
all such labelings. The most it can hope to find is one fixed point (actually, a finite 
subset of one), not all of them. In the terminology we developed earlier, it finds some of 
the arguable formulas rather the than provable formulas. For example, consider its 
behavior on the theory T12 in (27). In this theory, MC is arguable, and so is MD, but 
neither is provable (only MCvMD is provable). Nonetheless, the TMS, given the 
justifications {MC} of -D and {MD} of -C, will pick one of {MC, MD} to be in, and the 
other to be out. 

^;:-h: ; .. - : > /There are several justifications for such jumping to conclusions. One is that 
since all arguable formulas are also assumable, these decisions may at worst lead to later 
shifts in fixed points. That is, since arguable formulas might be added consistently later 
on, it cannot hurt much to act on the assumption that they will be added. A more 
pressing rationale for this behavior is that the program or proof procedure using the TMS 
typically depends on beliefs of certain types to decide what to do, and cannot abide by 
suspended judgement; even if there is a choice of possible circumstances, the program 
expects the TMS to decide on one so that action may be taken. 

° f . course^ jumping to conclusions in this manner introduces the problem of 
havin S to choose between fixed points of the theory. In many cases this problem solves 
itself because of the way the TMS is typically used. Usually a program using the TMS is 
attempting to discover which fixed point of a theory corresponds to the real world. The 
best way to do this is to pick one model and stick with it until trouble arises, and then 
salvage as much information as possible by making as few changes as necessary. 
"Trouble" can take the form of new information or new deductions from old information 
conflicting with old information or assumptions. Either way, the response is the same; to 
switch to a new fixed point. Programs frequently try to organize their use of the TMS so 
as to ensure the case of a single fixed point being the usual case. However, it is usually 
not possible or desirable to completely determine in this fashion how the TMS should" 
decide between alternate fixed points. One way even more information of this sort might 
be used would be to employ Rescher's C1964] suggestion of modal categories as a method 



il 



f-\ 



(T\ 



for selecting among the various fixed points generated by a theory. That is, suppose the 
formulas of the language are segmented into n+1 modal categories L = M n u...uM . Then 
given fixed points of a theory A as Sj, ..., S m , with corresponding sets of assumptions Aj, 
..., A m , we can segment the Aj into components A 1>0 , ..., A^ n , .„, A m0 , ..., A m n in 
concordance with the modal categories. We can then rank the fixed points by schemes 
involving orderings on the vectors of assumption components. Adding such devices to 
TMS-like systems is an interesting topic for future research. 

The two goals of the TMS, to prevent both ^p and Mp being in, and to prevent 
both p and ^p being in, give rise to two different types of activity. In the first case, when 
a new justification is discovered for some formula which then invalidates some current 
assumption, the TMS must reexamine the current labeling to find a new labeling 
consonant with the enlarged set of justifications. This process is fairly straightforward, 
although there are important special cases concerning circular proofs which require special 
care. This process thus takes on the appearance of a relaxation procedure for finding an 
acceptable labeling, and then determination of non-circular proofs for all formulas 
labeled 1. . 

The second type of inconsistency handled by the TMS, that of p and ->p being 
in, requires somewhat different treatment. In the first type of process just described, the 
TMS uses justifications in a unidirectional manner, determining labelings of formulas from 
the labelings of the formulas of their justifications, and not vice versa. In the second case, 
the TMS must traverse these justifications in the opposite direction, seeking the 
assumptions underlying the conflicting formulas. This is why the: non-circular proofs are 
important tools. To resolve the inconsistency of these assumptions, the TMS converts the 
problem to one of the first type by producing a new justification for the denial of one of 
the assumptions in terms of the other assumptions. This might be viewed as the TMS 
sharing the weakness of our logic; it cannot rule out an assumption Mp by deriving -<Mp, 
but must instead produce a derivation of ^p. This second process is called dependency- 
directed backtracking CStallman and Sussman 19771 

For example, the existing theory may be { MC=>E } in which both MC and E 
are believed. Adding the axiom MD^E leads to an inconsistent theory, as MD is assumed 
(there being no proof of>D), which leads to proving -E. The dependency-directed 
backtracking process would trace the proofs of E and -E, find that two assumptions, MC 
and MD, were responsible. Just concluding -MCv^MD does no good, since this does not 
rule out any assumptions, so the TMS adds the new axiom E=>^D which invalidates the 
assumption MD and so restores consistency. There are many subtleties involved, as 
discussed in [Doyle 19781 

Of course, with non-monotonic logic there is also another kind of inconsistency, 
that due to there being no fixed point at all. It can be shown CCharniak et aL 19191 that 
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the TIMS will always find a fixed point of a theory if every subset of the theory is 
consistent. Unfortunately, the IMS program can loop forever if given a theory with ah 
inconsistent subtheory, as the check which could prevent this failure is quite expensive 
and only rarely needed in practice, and thus has been omitted from the program. 

As we mentioned, this description of the behavior of the TMS is only 
approximate. The TMS is incomplete in a certain practically unimportant way; it will not 
conclude D from the axioms C^D and OD. This type of reasoning is the responsibility 
of the program or proof procedure employing the TMS. The above description is slightly 
inaccurate in other ways as well, in that the logic of the TMS does not seem to be precisely 
the non-monotonic logic we have developed here. For example, the TMS really deals with 
only four formulas for each real formula p; Mp, M-ip, Lp, and L^p. It does not allow 
contradictions of the form LpAM^p, but does tolerate inconsistencies of the form LpAL-p 
if no assumptions can be found underlying these formulas. This suggests a somewhat 
different logic than that previously described, or at least a different interpretation of the 
TMS in terms of non-monotonic logic. This type of logic seems reminiscent of BelnapV 
C19.761 four-valued logic of belief. It would be interesting to pursue the connections 
between non-monotonic logic, the TMS, and Belnap's logic of belief and relevance logics. 
CAnderson and Belnap 1975] Other ways the description of the TMS might be improved 
would be to study its algorithmic efficiency to perhaps improve that efficiency, and to 
guarantee that the TMS will always find a consistent extension of a theory when one 
exists. 



Discussion 

In contrast to classical logics, the non-monotonic logics examined in this paper 
have the property that extending a theory does not always leave all theorems of the 
original theory intact. Such logics are of great practical interest in artificial intelligence 
research, but have suffered from foundational weakness. We have tried to repair this 
weakness by providing analyses of non-monotonic provability and semantics. Our 
definitions lead to proofs of the completeness of non-monotonic logic and the decidability 
of the non-monotonic sentential calculus. 

The area of non-monotonic logic is ripe for further research. Some open 
problems have been mentioned in the preceding sections. In the following, we list some 
further interesting topics. 

The major problem for non-monotonic logic is deciding provability for more 
general cases than statement theories. Unlike classical logic, it appears that the non- 
monotonic predicate calculus is not even semi-decidable. That is, there seems to be no 
procedure which will tell you when something is a theorem. If there were, then we could 
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use it to decide whether p was a theorem of number theory by trying to prove p and Nhp 
simultaneously, since one of these must be a theorem (as there is only one non-monotonic 
fixed point of number theory). 

Are there special cases in which provability is decidable or semi-decidable? We 
conjecture that many theories of interest to artificial intelligence are asymptotically 
decidable, in the following sense: there is a procedure which is allowed to change its 
answer an indefinite number of times about whether a formula is provable, but changes 
its answer only a finite number of times on each particular formula. (See for example the 
problem solving procedures given in Cde Kleer et al 1977]. Note also that classical first- 
order provability is asymptotically decidable by a procedure that changes its answer only 
once; answer "unprovable" and then call any complete proof procedure, changing the 
answer if the proof procedure succeeds.) Asymptotic decidability is a fairly weak, property 
of a predicate, but it isn't vacuous since there are predicates (such as totality) which are 
not decidable even in this sense. Furthermore, a procedure of this kind could be useful in 
spite of the provisional nature of its outputs, since a robot always has to act on the basis 
of incomplete cogitation. Unfortunately, it appears that even for some finite first-order 
theories, provability is not asymptotically decidable. We must look for useful special cases. 

r We have presented a formalization of non-monotonic logic which, although very 

weak, captures most of the important properties desired, especially with regard to the 

-structure of models of non-monotonic theories and their behavior upon extension by new 
axioms. The logic seems to be adequate for describing the TMS, an ability following 
naturally from the structure and evolution properties just mentioned. The logic also 
admits a proof of completeness and a proof procedure for the case of statement theories. 

Unfortunately, the weakness of the logic manifests itself in some disconcerting 
exceptional cases which, while essentially irrelevant to the structure and evolution 
properties, indicate that the logic fails to capture a coherent notion of consistency. For 
example, the theory 

(28) T13 = PC u { MOD, ^D } 

is inconsistent in our logic because although -^MC follows from -^D and MOD, -C does 
not follow, thus allowing MC to be assumed; and so the theory fails to have a fixed 
point. This can be remedied by extending the theory to include -C, the approach taken 
by the TMS, but this extension seems arbitrary to the casual observer. As it happens, 
axioms like MOD are much less common in applications than the unproblematic MOC,' 
but it would be nice to get rid of this problem. Another incoherence of our logic is that 
consistency is not distributive; MC does not follow from MCCaDI Our logic tolerates 
axioms which force an incoherent notion of consistency, as in 
(29 > ■''■■;• T14 = PC u,{ MC, iC }. 

A stronger logic might not allow this by forcing such theories to be inconsistent. 
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We will remedy this situation a forthcoming paper, wher we present a 
strengthened logic such that each fixed point of a consistent theory in the logic will possess 
a coherent notion of consistency. This is achieved by augmenting the logic to contain 
extensions of S5 in each fixed point. This fixes the problems mentioned above on the 
exceptional cases, and preserves the behavior of the logic on the vast majority of cases, in 
that all of our results concerning the structure, interrelationships, and evolution of models 
of non-monotonic theories carry over to the new logic. In addition, some new results 
permit a very elegant description of the logic of theory evolution. This strengthing of the 
theory is not quite as drastic as it may seem, for parts of SS are already present in the 
current logic. For example, all instances of the schema Lp=>p (or p=>Mp) are provable, 
and hence true in all models of any theory in the current logic; the difficulty is that some 
of these theories are inconsistent, but would be consistent in the SS extension. These 
improvements have their price, however. Since the new logic includes extensions of SS, 
the definition of model must be revised, and a new proof of completeness must be 
presented. For the same reason, the proof procedure for statement theories must be 
altered, thus requiring a new proof of correctness. As a bonus, however, the stronger 
logic has a more elegant model theory, in which the notion of a "noncommittal" model is 
correlated with the proof-theoretic notion of a fixed point of a theory. 

Tnere are several problems of a mathematical nature raised by non-monotonic 
logic. What are the details of the relationship between non-monotonic logic and the logics 
of incomplete information? What are the effects of different rules of inference on the 
construction of non-monotonic models? What are the details of the evolution of the 
properties of decision and provability? Are there interpretations of non-monotonic logic 
within classical logics? Are there connections between non-monotonic logic and logics with 
statements of infinite length? Is there a topological interpretation of non-monotonic logic 
in analogy to the topological interpretation of the intuitionistic calculus? 

There are also a number of more speculative and long range topics for 
investigation raised by non-monotonic logic. The revision of beliefs performed by 
artificial intelligence programs can be viewed as a microscopic version of the process of 
change of scientific theories. ( For a figurative description of such processes which is very 
close to a true description of non-monotonic logic and the TMS, see the beginning of 
section 6 of Quine's Two Dogmas of Empiricism.) Can the ideas captured in non- 
monotonic logic be used to describe the general process of scientific discovery, or 
pragmatic behavior in general? How are the holistic semantics of non-monotonic logic 
related to changes in meanings? (Cf. particularly CDummett 19731) What are the trade- 
offs involved in jumping to conclusions? How costly is the suspension of judgement? Can 
non-monotonic logic be used to effectively describe and reason about actions, commands, 
counterfactuals, and causality? 
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